Mastering Nmap for Penetration Testing: Tips, Tricks, and Real-World Examples

Today I'm going to write a detailed article about Nmap. I know Nmap might seem a little boring to rookie penetration testers, but it's a very useful tool that can help you locate some tasty information about your target.

Nmap is a popular network exploration and security auditing tool, written mostly in C and C++, with Lua for its scripting engine and Python for the Zenmap GUI. With its advanced scanning capabilities, Nmap helps identify open ports, detect operating systems and services, and map out network topology. Whether you're a security professional, network administrator, or just curious about your own network, Nmap is a must-have tool in your arsenal for effective network analysis and security assessment.

Image credit: https://hackersonlineclub.com/wp-content/uploads/2019/01/Nmap-Commands.png

Some uses of Nmap:
  • Audit the security of a network.
  • Support penetration tests.
  • Check firewall and IDS settings and configurations.
  • Determine which types of connections are possible.
  • Network mapping.
  • Response analysis.
  • Identify open ports.
  • Vulnerability assessment (through NSE scripts).
Nmap Architecture
Nmap can be divided into the following scanning techniques:
  • Host Discovery
  • Port Scanning
  • Service enumeration and detection
  • OS detection
  • Scriptable interaction with the target service (Nmap Scripting Engine)
Syntax
The syntax of Nmap is simple and looks like this: nmap [scan type(s)] [options] {target specification}

You can see all the scanning techniques and options that Nmap offers with the nmap --help command.


You can also scan a whole network range by giving the target in CIDR notation, combined with -sn when you only want to know which hosts are alive: 


Scanning Option     Description
44.228.249.3/5      Target network range in CIDR notation
-sn                 Disable port scanning; only host discovery (ping scan) is performed

You can scan a list of IPs from a file with -iL: 


Scanning Option     Description 
-sn                 Disable port scanning; only host discovery is performed
-iL hosts.txt       Perform the scan against every target listed in the provided file (hosts.txt)

You can also scan multiple IPs in one run by listing them on the command line separated by spaces:


Host and Port Scanning

The information we need from the host is: 
  • Open ports and their services 
  • Service versions
  • Information the services provide (banners, headers)
  • Operating system
There are a total of 6 different states Nmap can report for a scanned port:

  • Open: an application is actively accepting TCP connections or UDP datagrams on the port.
  • Closed: the port is reachable (it answers the probe) but no application is listening on it.
  • Filtered: Nmap cannot tell whether the port is open or closed because a firewall, filter or other network obstacle drops the probe or answers with an ICMP error.
  • Unfiltered: the port is reachable, but Nmap cannot determine whether it is open or closed; only the ACK scan (-sA) reports this state.
  • Open|filtered: Nmap cannot decide between open and filtered; this happens with scan types where an open port gives no response at all, such as the UDP scan.
  • Closed|filtered: Nmap cannot decide between closed and filtered; only the idle scan (-sI) reports this state.
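To make the state table concrete, here is an added example (my code, not Nmap's and not from the original post) that models how Nmap turns the reply to one probe into one of the states above. It goes slightly beyond this section by covering the SYN (-sS), connect (-sT), ACK (-sA) and UDP (-sU) scans side by side, which shows why an ACK scan can only ever say filtered or unfiltered and why a silent UDP port becomes open|filtered. The Reply values are constructed inputs, not captured packets, and closed|filtered is left out because only the idle scan produces it.

```python
"""Simplified model of Nmap's reply -> port-state mapping (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# ICMP type 3 (destination unreachable) codes that Nmap reads as "filtered":
# net/host/protocol unreachable and the administratively-prohibited variants.
ICMP_UNREACHABLE_FILTERED = {0, 1, 2, 9, 10, 13}
ICMP_PORT_UNREACHABLE = 3


@dataclass(frozen=True)
class Reply:
    """What came back for a single probe. Reply() with defaults means silence."""
    tcp_flags: str = ""                  # e.g. "SA" (SYN/ACK) or "RA" (RST/ACK)
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    udp_data: bool = False               # a UDP datagram came back


def classify(scan: str, reply: Reply) -> str:
    """Return Nmap's port state for a probe of type `scan` ("sS", "sT", "sA", "sU")."""
    flags = reply.tcp_flags
    unreachable = reply.icmp_type == 3 and reply.icmp_code is not None
    if scan in ("sS", "sT"):
        if "S" in flags and "A" in flags:
            return "open"                # SYN/ACK: something is listening
        if "R" in flags:
            return "closed"              # RST: host reachable, nothing listening
        return "filtered"                # silence or ICMP unreachable: blocked/dropped
    if scan == "sA":
        # An ACK scan never learns open vs closed; it only learns whether the
        # packet got through. Any RST back means the port is unfiltered.
        return "unfiltered" if "R" in flags else "filtered"
    if scan == "sU":
        if reply.udp_data:
            return "open"
        if unreachable and reply.icmp_code == ICMP_PORT_UNREACHABLE:
            return "closed"
        if unreachable and reply.icmp_code in ICMP_UNREACHABLE_FILTERED:
            return "filtered"
        return "open|filtered"           # silence: open service or dropped probe
    raise ValueError(f"unsupported scan type: {scan}")


def scan_host(scan: str, replies: Dict[int, Reply]) -> Dict[int, str]:
    """Map {port: Reply} to {port: state}, like one host's block of Nmap output."""
    return {port: classify(scan, r) for port, r in sorted(replies.items())}


if __name__ == "__main__":
    # Constructed replies for one host: 22 answers SYN/ACK, 23 resets, 80 is silent.
    tcp_replies = {22: Reply(tcp_flags="SA"), 23: Reply(tcp_flags="RA"), 80: Reply()}
    for scan in ("sS", "sA"):
        print(scan, scan_host(scan, tcp_replies))
    udp_replies = {53: Reply(udp_data=True), 161: Reply(),
                   514: Reply(icmp_type=3, icmp_code=3)}
    print("sU", scan_host("sU", udp_replies))
```

Run it and compare the -sS and -sA rows for the same three ports: the SYN scan reports open/closed/filtered, while the ACK scan collapses 22 and 23 into unfiltered and only port 80 stays filtered, which is exactly the information a firewall-mapping scan is after.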
Discovering open TCP Ports 

By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). The SYN scan is the default only when you run Nmap as root, because it needs raw socket privileges; otherwise the TCP connect scan (-sT), which completes the full three-way handshake, is used by default. 
We can define the ports one by one (-p 22,80,443, with no spaces after the commas), by range (-p 80-443), by top ports (--top-ports=10), by scanning all 65535 ports (-p-), or with the fast scan of the top 100 ports (-F).


You can also trace the packets Nmap sends and receives with --packet-trace, which prints every packet as it goes out or comes in. 


UDP Port Scan 

UDP ports are scanned with -sU. Because UDP is connectionless, an open port that ignores an empty probe looks the same as a dropped probe, so many ports end up reported as open|filtered, and the scan is noticeably slower than a TCP scan. 

  • Another handy option is -sV, which probes the discovered ports to get service names, versions, and other details about our target.
Saving the results 

Nmap can save the results in different formats. 
  • Normal output (-oN) with the .nmap extension
  • Grepable output (-oG) with the .gnmap extension
  • XML output (-oX) with the .xml extension
We can also specify the option -oA to save the results in all three formats at once. 


Scanning Option     Description 
-oA target          Save the results in all formats, naming each file 'target' (target.nmap, target.gnmap, target.xml)

To check the service version, use the -sV option.

  • We can also increase the verbosity level (-v/-vv), which makes Nmap print open ports as soon as it detects them instead of only in the final summary. 
Nmap Scripting Engine 

Nmap Scripting Engine (NSE) is another handy feature of Nmap. It lets us write scripts in Lua that interact with the discovered services, and Nmap ships with a large library of ready-made scripts.

There are a total of 14 categories into which these scripts are divided:

1. auth          Scripts that deal with authentication credentials (or bypass them) on the target service.
2. broadcast     Host discovery by broadcasting on the local network.
3. brute         Scripts that try to log in to the respective service by brute-forcing credentials.
4. default       The default set, run with -sC.
5. discovery     Scripts that gather more information about the network and the accessible services.
6. dos           Scripts that may cause a denial of service, used to check for such vulnerabilities.
7. exploit       Scripts that try to exploit known vulnerabilities on the scanned port.
8. external      Scripts that send data to an external third-party service (for example a whois lookup).
9. fuzzer        Scripts that send unexpected or randomized fields to find bugs in packet handling.
10. intrusive    Scripts that could negatively affect the target system or be noticed as an attack.
11. malware      Scripts that check whether the target is infected by malware or backdoors.
12. safe         Scripts that are not designed to crash services, use large amounts of bandwidth or exploit vulnerabilities.
13. version      Extension of service detection (-sV).
14. vuln         Scripts that check for specific known vulnerabilities.

We have several ways to define the desired scripts in Nmap.

Default Scripts (-sC)

Runs every script in the default category.

Specific Script Category (--script <category>)

Runs every script in a category, for example --script vuln; a comma-separated list of script names or categories is also accepted.

Nmap - Aggressive Scan (-A)

Enables OS detection, version detection, default script scanning and traceroute in one option.

Vulnerability Assessment (--script vuln)

Runs the vuln category against the detected services.
Firewall Evasion

Nmap's TCP ACK scan (-sA) is much harder for a firewall or IDS/IPS to filter than a regular SYN scan (-sS) or connect scan (-sT), because it sends only the ACK flag: a stateless firewall that permits established connections has to let the packet through, and the reply (an RST) or its absence tells us whether the port is filtered.

Decoys 

There are cases in which administrators block specific subnets from different regions on principle. In this situation the decoy scan (-D) is the right choice: Nmap sends the probes from several spoofed source addresses as well as our own, so the target's logs show many scanners at once. With RND:<number> (for example -D RND:5) Nmap generates that many random decoy addresses; explicit decoys are listed separated by commas, and ME can be placed in the list to choose where our real IP appears, otherwise it is put at a random position among the decoys. 


Scan with a different Source IP


Scanning Option     Description 
-n                  Disable DNS resolution
-S <IP>             Scan the target using the given (spoofed) source IP address
-e tun0             Send all packets through the specified interface

DNS Proxying

DNS queries are normally made over UDP port 53; TCP port 53 is used for zone transfers and for answers larger than 512 bytes. 

* We can therefore use TCP port 53 as the source port of our scans with --source-port 53. If the administrator has a firewall rule that allows this port in order to let DNS traffic through, and the IDS/IPS does not inspect it properly, our packets will be trusted and passed through.
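Why that rule fails, and what the fix looks like, as an added example (my code, not from the original post or from any firewall product): a toy packet filter with the weak rule set beside a state-tracking one. The addresses and packets are constructed.

```python
"""Stateless 'trust port 53' rule versus a stateful rule (added example)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Conn = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: str = ""  # "S" marks a fresh SYN, e.g. an Nmap -sS probe

    def forward(self) -> Conn:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self) -> Conn:
        """The connection this packet would be a reply to."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


PUBLIC_PORTS = {80, 443}   # services the host intentionally exposes


def stateless_allows(pkt: Packet) -> bool:
    """The rule set the text warns about: 'permit from port 53 so DNS answers
    get in'. It inspects only the source port, so a scanner that sets
    --source-port 53 is treated exactly like a DNS server."""
    if pkt.sport == 53:
        return True
    return pkt.dport in PUBLIC_PORTS


def stateful_allows(pkt: Packet, conntrack: Set[Conn]) -> bool:
    """Corrected rule set: replies are admitted only if they match a connection
    this side opened (tracked in `conntrack`); anything else must target a
    published service."""
    if pkt.dport in PUBLIC_PORTS:
        return True
    if pkt.proto == "tcp" and pkt.tcp_flags == "S":
        return False     # a bare SYN is a new inbound connection, never a reply
    return pkt.reverse() in conntrack


# Constructed traffic: the protected host asks a resolver, then an attacker
# probes SSH with --source-port 53. Addresses are made up.
HOST, RESOLVER, ATTACKER = "10.129.2.28", "10.129.2.2", "10.10.14.5"
DNS_QUERY = Packet("udp", HOST, 40123, RESOLVER, 53)
DNS_REPLY = Packet("udp", RESOLVER, 53, HOST, 40123)
NMAP_PROBE = Packet("tcp", ATTACKER, 53, HOST, 22, tcp_flags="S")
CONNTRACK: Set[Conn] = {DNS_QUERY.forward()}   # the host sent the query


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Decision of each rule set for the legitimate reply and for the probe."""
    return {
        "stateless": {"dns_reply": stateless_allows(DNS_REPLY),
                      "nmap_probe": stateless_allows(NMAP_PROBE)},
        "stateful": {"dns_reply": stateful_allows(DNS_REPLY, CONNTRACK),
                     "nmap_probe": stateful_allows(NMAP_PROBE, CONNTRACK)},
    }


if __name__ == "__main__":
    for ruleset, verdicts in evaluate().items():
        print(ruleset, verdicts)
```

Both rule sets let the genuine DNS answer in; only the stateless one also lets the SYN to port 22 through, which is the whole trick behind --source-port 53. From the defender's side the fix is not to special-case port 53 at all but to admit replies only for connections the host itself opened.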

In conclusion, Nmap is an essential tool for anyone interested in network security and penetration testing. Its advanced scanning capabilities and ability to detect vulnerabilities and misconfigurations make it an indispensable tool for security professionals and network administrators alike. With its support for multiple platforms, its machine-readable output formats and its Lua scripting engine, Nmap can be customized and integrated into a variety of security workflows and automated toolchains. By using Nmap effectively, you can gain valuable insights into your network and identify potential security risks before they can be exploited. So, start exploring your network today with Nmap and take your security posture to the next level.


For more information check the Academy Hackthebox NETWORK ENUMERATION WITH NMAP Module: 
